Forum Discussion

Abdulmohsen_Mut's avatar
Abdulmohsen_Mut
Icon for Nimbostratus rankNimbostratus
Mar 22, 2006

Deny Large file download using HTTP::conent-Length

Hi,

 

 

I am trying to implement something similar to the one in the thread titled :redirect POSTs bigger than 1MB

 

http://devcentral.f5.com/Default.aspx?tabid=28&forumid=5&postid=5411&view=topic

 

 

We need to intercept responses to large file download request and close the HTTP session before the download starts. However, i am worried that this will impact the performance of our proxies as thousands of users will be going through the BIG-IP in front of the proxy servers.

 

Also, I need to send the user a small warning html that tell him that downloading files > 50MB is not allowed, by re-writing the payload.

 

 

I am thinking of something like:

 

 

when HTTP_RESPONSE {

 

set clen [HTTP::header Content-Length]

 

if { $clen > 50,000,000} {

 

HTTP::payload replace 0 [HTTP::payload length] $warning_response

 

HTTP::close

 

}

 

log local0. "HTTP_RESPONSE CLEN= $clen "

 

}

 

 

 

 

Please advise on how to achieve this with minimum impact on performance. I am worried that enabling this iRule will cause the BIG-IP to read every HTTP meassage to look for Content-Length. Is there a way to read only required messages ??

 

 

Your support is highly appreciated.

 

application delivery
dev
devops
iRules

3 Replies

  • Colin_Walker_12's avatar
    Colin_Walker_12
    Historic F5 Account
    Mar 23, 2006
    It looks like you're on the right track so far. Have you tested this rule yet? Is it behaving the way you'd expect?

     

     

    As far as only opening certain packets goes, that's really not feasible. You're deciding which packets to disallow/alter based on information inside the packet, so you have to open all of them to see if they match or not.

     

     

    The up side is, the ones that aren't over your maximum allowed conent length will skip most of the rule, and should cause very little impact to your system.

     

     

    -Colin
  • Abdulmohsen_Mut's avatar
    Abdulmohsen_Mut
    Icon for Nimbostratus rankNimbostratus
    Mar 23, 2006
    Thanks Colin.

     

     

    Would you please provide a typical complete iRule that i can use safely for testing. I don't know how would i write the payload with a complete html page. Do i provide a link or do i have to copy the entire html in my code.

     

     

    Your support is highly appreciated.
  • uni's avatar
    uni
    Icon for Altocumulus rankAltocumulus
    Mar 25, 2006
    HTTP::respond might be a better choice than HTTP::payload replace. You get to give them an appropriate response code and I expect is more efficient.

     

     

    Also, I think you should remove the commas from 50,000,000 as this would make it a textual comparison rather than numeric.